Bug 1122839 (CVE-2018-17199)

Summary: VUL-1: CVE-2018-17199: apache2: mod_session_cookie does not respect expiry time
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/223571/
Whiteboard: CVSSv3:RedHat:CVE-2018-17199:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:SUSE:CVE-2018-17199:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2019-01-23 07:01:43 UTC
via oss-sec

CVE-2018-17199: mod_session_cookie does not respect expiry time

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.37

Description:
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
checks the session expiry time before decoding the session.
This causes session expiry time to be ignored for
mod_session_cookie sessions since the expiry time is loaded
when the session is decoded.

Mitigation:
All httpd users deploying mod_session should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Diego Angulo from ImExHS.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
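Added illustration of the ordering bug the advisory above describes. This is a simplified model written for this page, not httpd's mod_session or mod_session_cookie source: the names session_rec, session_decode and session_load echo httpd's but the structures and the key=value decoder are toy versions, and the cookie payload "expiry=1000&user=alice" is a constructed sample. The point it shows is the one in the advisory: for cookie-backed sessions the expiry value only exists after the cookie has been decoded, so an expiry check that runs before decoding compares against zero and never fires. The check_before_decode flag selects the pre-2.4.38 ordering (1) or the corrected ordering (0).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of mod_session's session record (not httpd's real struct).
 * For cookie sessions the expiry is carried inside the encoded payload and
 * is therefore 0 until the payload has been decoded. */
typedef struct {
    char encoded[256];   /* raw cookie value, e.g. "expiry=1000&user=alice" */
    int64_t expiry;      /* 0 = no expiry known yet */
    char user[64];
} session_rec;

/* Minimal stand-in for the default "key=value&key=value" session decoder.
 * Only "expiry" and "user" are understood; a pair without '=' is rejected. */
static int session_decode(session_rec *zz)
{
    char buf[256];
    strncpy(buf, zz->encoded, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "&"); tok; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (!eq)
            return 0;                         /* malformed: reject session */
        *eq = '\0';
        if (strcmp(tok, "expiry") == 0) {
            zz->expiry = strtoll(eq + 1, NULL, 10);
        } else if (strcmp(tok, "user") == 0) {
            strncpy(zz->user, eq + 1, sizeof zz->user - 1);
            zz->user[sizeof zz->user - 1] = '\0';
        }
    }
    return 1;
}

/* Load a session from a cookie value at time `now`.
 * Returns 1 if a live session was accepted, 0 if it was rejected as
 * expired or undecodable. check_before_decode=1 reproduces the 2.4.37
 * ordering, 0 the ordering after the fix (decode first, then check). */
int session_load(const char *cookie, int64_t now, int check_before_decode,
                 session_rec *out)
{
    session_rec zz;
    memset(&zz, 0, sizeof zz);
    strncpy(zz.encoded, cookie, sizeof zz.encoded - 1);

    if (check_before_decode) {
        /* Bug: expiry is still 0 here for cookie sessions, so the check
         * never fires and the stale session is decoded and accepted. */
        if (zz.expiry && zz.expiry < now)
            return 0;
        if (!session_decode(&zz))
            return 0;
    } else {
        if (!session_decode(&zz))
            return 0;
        /* Fixed: expiry has been loaded from the cookie and is honoured. */
        if (zz.expiry && zz.expiry < now)
            return 0;
    }
    if (out)
        *out = zz;
    return 1;
}

int main(void)
{
    const char *cookie = "expiry=1000&user=alice";   /* constructed sample */
    int64_t now = 2000;                               /* past the expiry */
    printf("2.4.37 order: %s\n",
           session_load(cookie, now, 1, NULL) ? "accepted (stale session)"
                                              : "rejected");
    printf("fixed order:  %s\n",
           session_load(cookie, now, 0, NULL) ? "accepted"
                                              : "rejected (expired)");
    return 0;
}
```

The only behavioural difference between the two branches is the position of the expiry comparison relative to the decode step, which is exactly what the upstream change moves; a session with no expiry key at all (expiry stays 0) is accepted in both orderings, matching the "no expiry set" case rather than the bug.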
Comment 1 Petr Gajdos 2019-01-24 08:42:15 UTC
I think
http://svn.apache.org/viewvc?view=revision&revision=1851409
Comment 2 Petr Gajdos 2019-01-24 09:06:08 UTC
Which code streams holding 2.4 are currently supported?
Comment 4 Petr Gajdos 2019-01-24 10:02:53 UTC
Will submit for 15,12sp2,12sp1,12/apache2.
Comment 5 Petr Gajdos 2019-01-24 10:05:24 UTC
Packages submitted. I believe all fixed.
Comment 7 Swamp Workflow Management 2019-02-26 20:13:11 UTC
SUSE-SU-2019:0498-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP4 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP3 (src):    apache2-2.4.23-29.34.4
Comment 8 Swamp Workflow Management 2019-02-27 11:13:00 UTC
SUSE-SU-2019:0504-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    apache2-2.4.33-3.9.7
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    apache2-2.4.33-3.9.7
Comment 9 Swamp Workflow Management 2019-03-06 20:12:35 UTC
openSUSE-SU-2019:0296-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 15.0 (src):    apache2-2.4.33-lp150.2.9.1
Comment 10 Swamp Workflow Management 2019-03-08 14:11:08 UTC
openSUSE-SU-2019:0305-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 42.3 (src):    apache2-2.4.23-37.1
Comment 12 Swamp Workflow Management 2019-04-05 10:13:52 UTC
SUSE-SU-2019:0888-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    apache2-2.4.16-20.24.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-04-05 10:15:49 UTC
SUSE-SU-2019:0889-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1122839,1131239,1131241
CVE References: CVE-2018-17199,CVE-2019-0217,CVE-2019-0220
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    apache2-2.4.10-14.36.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 14 Marcus Meissner 2019-07-18 07:05:30 UTC
done